1. I am using my own MVC implementation and I am not sure, whether the Spring Security isn’t designed specifically for the Spring MVC implementation. Is it still okay to use it?

2. It is not clear to me, which parts of Spring Security I should use and which I don’t need to. I suppose I don’t need the URL filters as I need to validate the access specifically on the URL parameters in my controllers (for instance to check whether User is the owner of the Article). Something like:

   if (request.getUser().isAllowedTo("EditArticle", 27)) {...}
   if (request.getUser().isAllowedTo("CategoryManager", 123)) {...}
   if (request.getUser().isInRole("Admin")) {...}
   

3. I could not find some clear way of users logging in/out programmatically. I’ve implemented my UserDetails and UserDetailsService classes to handle the users with JPA, but I don’t see a way, how I can proceed with login and logout in my controllers.

EDIT:

I don’t see a way how to put the <form> in my Freemarker templates – the only way of creating the form I found is with:

<http pattern="/login.htm*" security="none"/>
    <form-login login-page="/login.htm" default-target-url="/home.htm"/>
</http>

How can I configure the structure of the login form? Can I create it by myself?

What I would like the most is to be able to handle the login by myself (for example with DWR) and not to use the magic j_security_checks…

It would be great, if I could handle the login request by myself and ask the auth service to login the user by myself (so I could easily use Direct Web Remoting (DWR)):

 if (user.username.ok() and user.password.ok()) {
     authService.setUser(user);
     authService.setLoggedIn(true);
 }